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(54) Protection of computer networks against malicious content 



(57) A gateway Including an input for receiving com- 
munications packets, an output for outputting commu- 
nications packets generally in real time with respect to 
receipt thereof » a policy manager determining criteria for 
collection and inspection of a collection of packets and 
a packet collection agent receiving packets from the in> 
put in accordance with criteria established by the policy 



manager and including a content inspector inspecting 
the collection of packets in accordance with criteria es- 
tablished by the policy manager and being operative to 
prevent supply of at least one packet of a collection of 
packets to the output when the collection of packets in- 
cludes undesirable content in accordance with the- cri- 
teria established by the policy manager. 
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Description 

FIELD OF THE INVENTION 

[0001 1 The present invention relates to connputer net- 
work connmunications generally and nnore particularly to 
apparatus and methods for providing security in compu- 
ter network communications. 



BACKGROUND OF THE INVENTION 

[0002] There exist a large number of U.S. Patents 
which deal with security in computer network communi- 
cations. The following U.S. Patents and the references 
cited therein are believed to represent the state of the 
art: 5.951. 698; 5.918.008; 5,907,834; 5.892,904; 
5,889,943; 5.881 ,1 51 ; 5,859,966; 5,854,91 6; 5,842,002; 
5,832,208; 5,826,012; 5,822,517; 5.809,138; 5,802,277; 
5!748!940; 5,684,875; 5,679,525; 5,675,711 ; 5,666.411; 
6,657.473; 5,649.095; 5,623,600; 5,61 3,002; 5,537,540; 
5',511. 184; 5,111.163; 5,502,815; 5,485,575; 5,473.769; 
5.452,442; 5,398,196; 5,359,659; 5,319,776. 
[0003] Security in computer network communications 
deals with two general types of malicious content which 
may be communicated over a network to a computer: 
viruses and vandals. Viruses may be classified into a 
number of categories, such as file Infectors, file system 
vinjses. macro viruses and system/boot record infec- 
tors. 

[0004] Vandals are distinguished from viruses in that 
whereas viruses require a user to execute a program in 
order to cause damage, vandals are auto-executable I n- 
ternet applications and may cause immediate damage. 
Cun-ently the following types of vandals are known: Java 
applets. ActiveX objects, scripts and cookies. Vandals 
may hide in various types of communicated content, in- 
cluding Email: web content, legitimate sites and file 
downloads. 

[0005] It Is known to employ proxy servers to detect 
and prevent receipt of malicious content by a computer. 
Use of proxy servers for this type of application is de- 
scribed inter alia in the aforesaid U.S. Patents 
5,951,698; 5,889,943 & 5,623,600. The use of proxy 
servers forthls purpose has a number of disadvantages 
including non-real time operation, generation of network 
bottlenecks, requiring special configuration of each 
desktop and relative ease of bypass by a user. 

SUMMARY OF THE INVENTION 

[0006] The present invention seeks to provide appa- 
ratus and a method for protection of computers against 
malicious content generally in real time and without re- 
quiring the use of a proxy server. 
[0007] There is thus provided in accordance with a 
prefen-ed embodiment of the present invention a gate- 
way including an Input for receiving communications 
packets, an output for outputting communications pack- 
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ets generally in realtime with respect to receipt thereof , 
a policy manager determining criteria for collection and 
inspection of a collection of packets and a packet col- 
lection agent receiving packets from the input in accord- 
ance with criteria established by the policy manager and 
including a content inspector Inspecting the collection of 
packets in accordance with criteria established by the 
policy manager and being operative to prevent supply 
of at least one packet of a collection of packets to the 
output when the collection of packets includes undesir- 
able content in accordance with the criteria established 
by the policy manager 

[0008] There is also provided in accordance with a 
preferred embodiment of the present invention a meth- 
od for protecting a computer from malicious content 
comprising the steps of: 

determining criteria for collection and Inspection of 
a collection of packets; 

receiving packets from among the collection of 
packets in accordance with the criteria; 
inspecting the packets in accordance with the crite- 
ria; 

preventing output of at least one packet but not alt 
packets of a collection of packets when the collec- 
tion of packets includes undesirable content in ac- 
cordance with the criteria; and 
outputting packets other than the at least one pack- 
et generally in real time with respect to receipt there- 
of; 

[0009] In accordance with a preferred embodiment of 
the present invention, the at least one packet is the last 
packet of a file. 

BRIEF DESCRIPTION OF THE DRAWINGS 



[0010] The present invention will be understood and 
appreciated more fully from the following detailed de- 
40 scription, taken in conjunction with the drawings in 
which: 

Fig. 1 A is a simplified block diagram illustration of 
implementation of the Invention in a firewall-type 
configuration for checking Incoming Internet but not 
Intranet traffic; 

Fig. IB is a simplified block diagram illustration of 
Implementation of the invention for checking all In- 
coming communications; 

Fig. 2 Is a simplified block diagram Illustration of the 
use of multiple content inspectors by a single packet 
collection agent; and 

Fig. 3 is a simplified flow chart illustrating operation 
of a packet collection agent in accordance with a 
preferred embodiment of the present invention. 
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DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENTS 

[001 1 ] The present invention seeks to provide protec- 
tion of a computer against malicious content without re- 
quiring the use of a proxy server 
[0012] Reference is now made to Fig. 1 A, which is a 
simplified block diagram illustration of implementation 
of the invention in a firewall-type configuration for check- 
ing incoming Internet but not intranet traffic. As seen In 
Fig. 1 A, there is provided a typical computer 1 0 in which 
resides conventional TCP/IP routing software 12. Com- 
puter 10 is typically connected to a network 13. 
[0013] In accordance with a prefen^ed embodiment of 
the present invention a packet collection agent (PCA) 
14 is interposed between a network interface card (NIC) 
1 6 which receives Internet traffic and the TCP/I P routing 
software 1 2. In this embodiment, a separate NIC 1 8 han- 
dles intranet traffic and does not have a PCA interfaced 
between it and the TCP/IP routing software 12. 
[001 4] In accordance with a preferred embodiment of 
the present invention, the PCA 14 interfaces with policy 
manager software 20, which determines collection cri- 
toria, i.e. which typos of packets of which types of files 
are collected, and inspection criteria, i.e. which types of 
content in a file are not allowed to pass to or from net- 
work 13. 

[0015] Based on the criteria established by the policy 
manager software 20, the PCA 14 operates content in- 
spector software 22, which Inspects the packets of a file 
which fits the criteria for collection and inspection. The 
content inspector software 22 operates based on criteria 
established by the policy manager softvyare 20 arid re-, 
ports Its inspection findings to the PCA 14. Altemativefy, 
policy manager software 20 may be obviated. In such a 
case, the PCA 14 and the content inspector software 
are each programmed with suitable criteria. 
[0016] In accordance with a preferred embodiment of 
the invention, the PCA 14 does not delay transmittal of 
most packets, even of files that require inspection. Rath- 
er, while transmitting all but typically the last packet in a 
file, it operates content inspector software 22 to inspect 
the contents of the file. If the contents are found to be 
acceptable, typically the last packet is released. If the 
contents of a file are not found to be acceptable by the 
criteria typically established by the policy manager soft- 
ware 20, at least one packet, typically the last packet, 
is not released, preventing activation of the unaccepta- 
ble content by the computer 

[0017] Reference is now made to Fig. 1 B, which illus- 
trates implementation of the invention for checking all 
incoming communications along a network 28. In this 
Illustrated embodiment, as seen in Fig. 1 B, there is pro- 
vided a typical computer 30 on which resides TCP/IP 
software 32. In accordance with a preferred embodi- 
ment of the present invention, a packet collection agent 
(PCA) 34 is interposed between a network interface 
card (NIC) 36. which receives Internet and intranet traf- 



fic, and the TCP/IP software 32. 
[0018] In accordance with a preferred embodiment of 
the present invention, as in the embodiment of Fig. 1 A, 
the PCA 34 interfaces with policy manager software 40, 

s which detemnines collection criteria, i.e. which types of 
packets of which types of files are collected, and inspec- 
tion criteria, i.e. which types of content in a file are not 
allowed to pass to the computer. 
[0019] Based on the criteria typically established by 

10 the polby manager software 40. the PCA 34 operates 
content inspector software 42, which inspects the pack- 
ets of a file which fits the criteria for collection and in- 
spection. The content inspector software 42 operates 
typically based on criteria established by the policy man- 

is ager software 40 and reports its inspection findings to 
the PCA 34. 

[0020] In accordance with a preferred embodiment of 
the invention, the PCA 34 does not delay transmittal of 
most packets, even of files that require inspection. Rath- 

^ er while transmitting all but typically the last packet in a 
file, it operates content inspector software 42 to inspect 
the contents of the file. If the contents are found to be 
acceptable, typically the last packet is released. If the 
contents of a file arc not found to be acceptable by the 

25 criteria typically established by the policy manager soft- 
ware 40, at least one packet, typically the last packet, 
is not released, preventing activation of the unaccepta- 
ble content by the computer. 

[0021] Reference is now made to Fig. 2, which is a 
30 simplified block diagram illustration of the use of multiple 
content inspectors by a single packet collection agent. 
As illustrated in Fig. 2, a single PCA 50 may interface 
with a single policy manager 52, which may, in certain 
embodiments be obviated, and with a plurality of content 
35 inspectors 54 simultaneously. This type of an^angement 
may be particularly useful for handling high traffic vol- 
umes, 

[0022] Reference is now made to Fig. 3, which is a 
simplified flow chart illustrating operation of a PCA in 
40 accordance with a preferred embodiment of the present 

invention. 

[0023] As seen in Fig. 3, upon receipt of a packet, if 
the packet Is received in the context of an existing file 
and is not the last packet, the packet is simultaneously 
45 stored and released to Its destination, generally in real 
time. 

[0024] If the packet is the last packet in a file, the PCA 
typically obtains the inspection criteria from the policy 
manager and sends all of the packets in the file to a con- 

50 tent inspector for inspection in accordance with the in- 
spection policy typically established by the policy man- 
ager. If the file passes inspection, the last packet is re- 
leased as well. If not, the last packet is not released. 
[0025] If the packet is the first packet of a new file and 

55 thus is a control packet as opposed to a data packet, 
the PCA employs the collection criteria typically estab- 
lished by the polby manager to determine whether the 
file requires inspection. If not, the packet and all subse- 
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quent packets of that file are immediately released as 
they arrive. If the file is a type of file that Is not permitted, 
no packets are released. If, however, the file is a type 
of file that requires inspection, the packet is immediately 
released and the subsequent packets are inspected. 
[0026] It will be appreciated by persons skilled in the 
art that the present invention is not limited by what has 
been particularly shown and described hereinabove. 
Rather the scope of the present invention includes both 
combinations and subcombinations of various features 
described hereinabove and in the drawings as well as 
modifications and variations thereof which would occur 
to a person of ordinary skill in the art upon reading the 
foregoing description and which are not in the prior art. 
[0027] Where technical features mentioned in any 
claim are followed by reference signs, those reference 
signs have been Included for the sole purpose of in- 
creasing the Intelligibility of the claims and accordingly, 
such reference signs do not have any limiting effect on 
the scope of each element identified by way of example 
by such reference signs. 



Claims 

1 . A gateway comprising: 

an input for receiving communications packets; 
an output for outputting communications pack- 
ets generally in real time with respect to receipt 
thereof; 

a policy manager determining criteria forcollec- 
tion and inspection of a collection of packets; 
a packet collection agent receiving packets 
from said input in accordance with criteria es- 
tablished by said policy manager: and 
at least one content inspector operated by the 
packet collection agent and Inspecting said col- 
lection of packets in accordance with criteria 
established by said policy manager, 
said packet collection agent being operative to 
prevent supply of at least one packet of a col- 
lection of packets to said output when said col- 
lection of packets includes undesirable content 
in accordance with said criteria established by 
said policy manager. 

2. A gateway according to claim 1 and wherein said at 
least one packet is the last packet of a file. 

3. A gateway according to claim 1 or claim 2 and 
wherein said policy manager determines criteria 
whereby not alt files are inspected. 

4. A gateway according to any of claims 1 to 3 and 
wherein said packet collection agent inspects all 
packets of files that are to be inspected. 



6 

5. A gateway according to any of claims I to 4 and 
wherein said packet collection agent operates plu- 
ral content inspectors simultaneously. 

5 6. A gateway according to any of claims 1 to 5 and 
wherein said policy manager detennines criteria 
whereby some types of files are not released even 
without inspection by a content inspector. 

10 7. A gateway according to any of claims 1 to 6 and 
wherein said packet collection agent 
operates on Internet but not on intranet traffic. 

8. A gateway comprising : 

15 

an input for receiving communications packets; 
an output for outputting communications pack- 
ets generally In real time with respect to receipt 
thereof; and 

20 a packet collection agent receiving packets 

from said input in accordance with criteria es- 
tablished by said policy manager; and 
a content inspector operated by the packet col- 
lection agent for inspecting said collection of 

25 packets and being operative to prevent supply 

of at least one packet of a collection of packets 
to said output when said collection of packets 
includes undesirable content. 

30 9- A gateway according to claim 8 and wherein said at 
least one packet Is the last packet of a file. 

10. A gateway according to claim 8 and wherein a policy 
manager detennines criteria whereby not all files 

35 are inspected. 

1 1 . A method for protecting a computer from malicious 
content comprising the steps of: 

40 detennining criteria for collection and inspec- 

tion of a collection of packets; 
receiving packets from among the collection of 
packets in accordance with the criteria; 
inspecting the packets in accordance with the 

45 criteria; 

preventing output of at least one packet but not 
ail packets of a collection of packets when the 
collection of packets includes undesirable con- 
tent in accordance with the criteria; and 

50 outputting packets other than the at least one 

packet generally in real time with respect to re- 
ceipt thereof. 

12. A method according to claim 11 and wherein said 
55 at least one packet is the last packet of a file. 

13. A method according to claim 11 and wherein a pol- 
k:y manager determines criteria whereby not all files 
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are inspected. 

14. A method according to claim 11 and wherein a pack- 
et collection agent inspects all packets of files that 
are to be inspected. s 

15. A method according to claim 11 andwherein a pack- 
et collection agent operates plural content inspec- 
tors simultaneously. 

10 

16. A method according to claim 11 and wherein a pol- 
icy manager determines criteria whereby some 
types of files are not released even without inspec- 
tion by a content inspector. 

15 

17. A gateway according to claim 11 and wherein a 
packet collection agent operates on internet but not 
on intranet traffic. 
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teria for collection and inspection of a collection of pack- 
ets and a packet collection agent (14) receiving packets 
from the input in accordance with criteria established by 
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a collection of packets to the output when the collection 
of packets includes undesirable content in accordance 
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